How I do to User/Machine Certificate + LDAP User/Pass Authentication?

Coy Hile coy.hile at
Tue Nov 24 11:56:30 CET 2020

> On Nov 23, 2020, at 8:34 AM, Alan DeKok <aland at> wrote:
>>  Does it not, then, depend on where the user is authenticating? If it’s
>>  a builtin windows thing (for, say, 802.1x or similar, one may be out of
>>  luck.  But it might make sense in the context of, say, a VPN client to
>>  verify the source device is within policy before authenticating the end
>>  user.
>  Except that with a VPN, it *won't* do host authentication separately.  It will only do user authentication.  And you *might* get a MAC address or other machine identification.  But likely not.

Hmm, doesn’t that depend on the VPN client (and server for that matter)? But that may be getting off into the weeds and unrelated to FreeRADIUS. So, to bring this back to a RADIUS-centric discussion. Assume the VPN client sends the concentrator both a machine certificate and the user’s credentials.

Is it possible to configure the server in such a way that it’d work like I described? That is, I guess, to require that multiple modules succeed, namely whatever does the cert verification and, say, ldap talking to the Directory?

Like I said, as long as I’ve been on this list, most of the content is orthogonal to my existing use case (that of authenticating and authorizing administrative sessions to network gear). So, I’m trying to learn more about the meat and potatoes, as it were.


Coy Hile
coy.hile at

More information about the Freeradius-Users mailing list